Thycotic’s Cyber Security Publication

The 6 D’s of Cyber Security Part 1

April 7th, 2015

In this two-part series we will discuss the 6 D’s of cyber security and how you can implement them in your own cyber defense strategy. This week we look at Deter, Detect, and Defend. Creating a holistic approach to your cyber security plan using these 6 references can drastically reduce your organization’s risk. (If you don’t already have one, start creating a cyber security plan here.)

Deter

For starters, don’t have public-facing systems return automated error messages that are so detailed they give the attacker information he can use against you. For example, when a user specifies an incorrect password, do not say “Incorrect password” because it alerts the attacker that the username he entered does in fact exist. Instead, say “Incorrect username or password.” Privileged accounts (especially those with giveaway usernames such as admin, administrator, or root) will benefit from this by not giving their usernames away if an attacker guesses them properly.

You should also implement Account Lockout policies, where a user who enters the incorrect password multiple times in a row will be locked out. Give the account access again after a certain amount of time passes or after an administrator unlocks the account. This prevents attackers from guessing a large number of password combinations in a short amount of time and also deters them from trying again after they are locked out. This is especially important on privileged accounts, which may be the target of brute force attacks.

Further, you can prevent password guessing attacks by limiting the number of login attempts from a single IP address within a certain time period. If an attacker only gets 5 guesses to your administrator’s password, chances are he won’t get it right and will have to come back later to try another 5 times… and so on. As you can imagine, attackers can get discouraged by this and usually try to move on to an easier target. You can’t possibly stop every kind of attack from happening, but you can certainly impede an attacker’s progress.
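The three deterrents above (a single generic error message, an account lockout after repeated failures, and a per-address attempt limit within a time window) fit together in one login gate. The following is an added example, not Thycotic's code or any product's API; the thresholds, usernames, passwords and timestamps are constructed for the demonstration.

```python
"""Added example (not from the post): a login gate that applies a generic
error message, an account lockout policy, and a per-IP attempt limit."""
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Optional

# Assumed policy values for the demo; real values come from your security plan.
LOCKOUT_THRESHOLD = 5      # consecutive failures before the account locks
LOCKOUT_SECONDS = 900      # lock expires after this, or when an admin unlocks it
IP_LIMIT = 5               # guesses allowed per source address per window
IP_WINDOW_SECONDS = 600

# One message for every credential failure, so "user exists" is never leaked.
GENERIC_ERROR = "Incorrect username or password."


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGate:
    def __init__(self, users: dict):
        self._users = users                       # username -> (salt, pbkdf2 hash)
        self._failures = defaultdict(int)         # username -> consecutive failures
        self._locked_until = {}                   # username -> unlock timestamp
        self._ip_attempts = defaultdict(deque)    # ip -> timestamps of recent attempts

    def _ip_allowed(self, ip: str, now: float) -> bool:
        q = self._ip_attempts[ip]
        while q and now - q[0] > IP_WINDOW_SECONDS:   # drop attempts outside the window
            q.popleft()
        if len(q) >= IP_LIMIT:
            return False
        q.append(now)
        return True

    def unlock(self, username: str) -> None:
        """Administrator unlock: clears the lock and the failure counter."""
        self._locked_until.pop(username, None)
        self._failures[username] = 0

    def login(self, username: str, password: str, ip: str,
              now: Optional[float] = None) -> tuple:
        now = time.time() if now is None else now
        # Per-IP limit is checked first, so a throttled source learns nothing about the account.
        if not self._ip_allowed(ip, now):
            return (False, "Too many attempts from this address; try again later.")
        until = self._locked_until.get(username)
        if until is not None:
            if now < until:
                return (False, GENERIC_ERROR)   # locked: same message, account not revealed
            self.unlock(username)               # lock expired: start a fresh count
        record = self._users.get(username)
        if record is None:
            _hash(password, b"dummy-salt-0000")  # equalize timing for unknown users
            return (False, GENERIC_ERROR)
        salt, expected = record
        if hmac.compare_digest(_hash(password, salt), expected):
            self._failures[username] = 0
            return (True, "OK")
        self._failures[username] += 1
        if self._failures[username] >= LOCKOUT_THRESHOLD:
            self._locked_until[username] = now + LOCKOUT_SECONDS
        return (False, GENERIC_ERROR)


def make_users() -> dict:
    """Constructed sample accounts for the demo (not real credentials)."""
    users = {}
    for name, pw in (("root", "correct horse battery staple"), ("alice", "hunter2!")):
        salt = hashlib.sha256(name.encode()).digest()[:16]   # fixed salt keeps the demo deterministic
        users[name] = (salt, _hash(pw, salt))
    return users


def demo() -> dict:
    gate = LoginGate(make_users())
    t0 = 1_000_000.0
    out = {}
    # Unknown user and wrong password produce the identical message.
    out["unknown_user"] = gate.login("nobody", "x", "10.0.0.1", t0)[1]
    out["wrong_pass"] = gate.login("root", "x", "10.0.0.1", t0 + 1)[1]
    # Four more failures reach the threshold; the correct password then fails until unlocked.
    for i in range(4):
        gate.login("root", "x", "10.0.0.2", t0 + 2 + i)
    out["locked"] = gate.login("root", "correct horse battery staple", "10.0.0.3", t0 + 10)[0]
    gate.unlock("root")
    out["after_admin_unlock"] = gate.login("root", "correct horse battery staple", "10.0.0.3", t0 + 11)[0]
    # Five guesses from one address use up its window; the sixth is refused outright.
    for i in range(5):
        gate.login("alice", "guess%d" % i, "203.0.113.9", t0 + 20 + i)
    out["ip_limited"] = gate.login("alice", "hunter2!", "203.0.113.9", t0 + 26)[1]
    return out


if __name__ == "__main__":
    print(demo())
```

Note that a locked account returns the same generic message as a wrong password; telling the client "this account is locked" would confirm the username exists, which is exactly what the first deterrent is trying to avoid. Legitimate users find out through the unlock path, not the error text.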

Detect

It’s always a good idea to have automated intrusion detection systems in place, whether network-based or host-based, but it is also important to watch logs for suspicious behavior.

Connections from suspicious IP addresses, logins at unusual times of the day, or a high number of login attempts are all possible signs that an attacker may be trying to get in (or has already obtained access to your network). Auditing and alerts are very important in detecting suspicious behavior. For example, you could determine if a certain administrator account is falling victim to a brute force attack by checking the logs and seeing that the account has a large number of failed login attempts. When detecting suspicious behavior, it is helpful to have reference material consisting of what normal traffic looks like at a given time of the day – by having a set of data that is considered normal, you can notice abnormalities in other sets of data by comparison.
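As an added example (not part of the post and not any vendor's detection logic), the script below runs the checks just described over a handful of constructed sshd-style log lines: failed logins piling up on one account, a high attempt count from one source address, logins outside a baseline of normal hours, and a success that follows a run of failures from the same address. The log format, thresholds and the 08:00 to 18:59 "normal" window are assumptions for the demo.

```python
"""Added example (not from the post): scan constructed auth-log lines for
brute-force, noisy-source, off-hours and success-after-failure signals."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2015-04-07T02:14:01 sshd: Failed password for admin from 198.51.100.7
2015-04-07T02:14:03 sshd: Failed password for admin from 198.51.100.7
2015-04-07T02:14:05 sshd: Failed password for admin from 198.51.100.7
2015-04-07T02:14:07 sshd: Failed password for admin from 198.51.100.7
2015-04-07T02:14:09 sshd: Failed password for root from 198.51.100.7
2015-04-07T02:14:11 sshd: Failed password for root from 198.51.100.7
2015-04-07T02:14:13 sshd: Accepted password for root from 198.51.100.7
2015-04-07T09:01:22 sshd: Accepted password for alice from 10.0.0.5
2015-04-07T09:03:10 sshd: Failed password for bob from 10.0.0.6
2015-04-07T09:03:15 sshd: Accepted password for bob from 10.0.0.6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Assumed thresholds and baseline: interactive logins normally happen 08:00-18:59.
FAILED_PER_ACCOUNT = 3
ATTEMPTS_PER_IP = 5
NORMAL_HOURS = range(8, 19)


def parse(log_text: str) -> list:
    """Turn matching lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def analyze(log_text: str) -> dict:
    events = parse(log_text)
    failed_by_user = Counter(e["user"] for e in events if not e["ok"])
    attempts_by_ip = Counter(e["ip"] for e in events)
    findings = {
        # Accounts with many failures: the "is admin being brute forced?" check.
        "brute_forced_accounts": sorted(
            u for u, n in failed_by_user.items() if n >= FAILED_PER_ACCOUNT),
        # Sources generating an unusual volume of attempts.
        "noisy_ips": sorted(
            ip for ip, n in attempts_by_ip.items() if n >= ATTEMPTS_PER_IP),
        # Successful logins outside the baseline window.
        "off_hours_logins": sorted({
            (e["user"], e["ip"]) for e in events
            if e["ok"] and e["ts"].hour not in NORMAL_HOURS}),
        # A success right after a run of failures from the same address: the one to page on.
        "success_after_failures": [],
    }
    consecutive_fails = defaultdict(int)
    for e in events:
        if e["ok"]:
            if consecutive_fails[e["ip"]] >= FAILED_PER_ACCOUNT:
                findings["success_after_failures"].append((e["user"], e["ip"]))
            consecutive_fails[e["ip"]] = 0
        else:
            consecutive_fails[e["ip"]] += 1
    return findings


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(name, hits)
```

The "normal hours" baseline is the simplest form of the reference data the paragraph mentions; in practice it would be learned per account or per subnet from historical logs rather than fixed as a constant.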

Defend

Defense is both passive and active when it comes to information security. The network and its systems should be secure, but what happens when an attacker finally does get in?

Establishing strong defenses across your network and its connected systems typically starts with keeping software and operating systems patched and up to date. This ensures that known vulnerabilities and weaknesses are fixed, limiting the number of possible attack vectors an attacker can use to get into your systems.

However, if an attacker does manage to get onto your network, reactionary measures should be taken. Blocking the attacker’s IP address via a firewall is a good course of action. More importantly, notice what the attacker is targeting – if he is attacking a web server using a potential vulnerability, make sure the server is not vulnerable to it after thwarting his attempt to get in. The attacker may be back under a different IP address later and will likely continue the same line of attack. If the attacker is trying to guess the password of a privileged account, you should consider changing the name of that privileged account to hide the usernames of privileged accounts from the public – an attacker’s password guessing job is exponentially harder if he also has to guess the username.